SecSDLC implementation phase
accomplished through changing configuration and operation of organization's information systems
Implementation
includes changes to procedures, people, hardware, software, and data
Organization
translates blueprint for information security into a concrete project plan
Information Security Project Management
Once organization's vision and objectives are understood, process for creating project plan can be defined
Major steps in executing project plan
Planning the project, Supervising tasks and action steps, Wrapping up
Information Security Project Management
Each organization must determine its own project management methodology for IT and information security projects
Developing the Project Plan
Creation of project plan can be done using work breakdown structure (WBS)
Developing the Project Plan
Each major WBS task is further divided into smaller tasks or specific action steps
Project Planning Considerations
As project plan is developed, adding detail is not always straightforward; special considerations include financial, priority, time and schedule, staff, procurement, organizational feasibility, and training
Financial Considerations
No matter what information security needs exist, the amount of effort that can be expended depends on funds available
Cost benefit
-- analysis must be verified prior to development of project plan; both public and private organizations have budgetary constraints, though of a different nature
Priority Considerations
In general, the most important information security controls should be scheduled first; implementation of controls is guided by prioritization of threats and value of threatened information assets
Staffing Considerations
Lack of enough qualified, trained, and available personnel constrains project plan
Experienced staff
is often needed to implement available technologies and develop and implement policies and training programs
Changes
should be transparent to system users unless the new technology is intended to change procedures (e.g., requiring additional authentication or verification)
Training and Indoctrination Considerations
Size of organization and normal conduct of business may preclude a single large training program on new security procedures/technologies; thus, organization should conduct phased-in or pilot approach to implementation
Project scope
concerns boundaries of time and effort-hours needed to deliver planned features and quality level of project deliverables
Project scope definition
the functionality that will be delivered by the new system. (It also includes resources that must be acquired and disposal of resources no longer needed.)
scope creep
Projects that are poorly planned may incur --
scope creep
incurred when projects are poorly planned
Information security project plans
should not attempt to implement the entire security system at one time
The Need for Project Management
Project management requires a unique set of skills and thorough understanding of a broad body of specialized knowledge; Most information security projects require a trained project manager (a CISO) or skilled IT manager versed in project management techniques
WBS
work breakdown structure used for project plan creation
CPM
critical path method used in project planning and scheduling
Critical Path
the sequence of stages determining the minimum time needed for an operation or project
Supervised Implementation
Some organizations may designate champion from general management community of interest to supervise implementation of information security project plan; an alternative is to designate senior IT manager or CIO to lead implementation
Leadership selection
It is up to each organization to find the most suitable leadership for a successful project implementation
Post-Audit
another term for project wrap-up
Project wrap-up
is usually handled as procedural task and assigned to mid-level IT or information security manager
Project Wrap-up
Collect documentation, finalize status reports, and deliver final report and presentation at wrap-up meeting
wrap-up
Goal of -- is to resolve any pending issues, critique overall project effort, and draw conclusions about how to improve process
Technical Topics of Implementation
Some parts of implementation process are technical in nature, dealing with application of technology
Conversion Strategies
As components of new security system are planned, provisions must be made for changeover from previous method of performing task to new method
Four basic approaches to conversion
Direct changeover, Phased implementation, Pilot implementation, Parallel operations
The Bull's-Eye Model
Proven method for prioritizing program of complex change
The Bull's-Eye Model
Issues addressed from general to specific; focus is on systematic solutions and not individual problems
The Bull's-Eye Model
Relies on process of evaluating project plans in progression through four layers: policies, networks, systems, applications
To Outsource or Not
Just as some organizations outsource IT operations, organizations can outsource part or all of information security programs
To Outsource or Not
Due to complex nature of outsourcing, it's advisable to hire best outsourcing specialists and retain best attorneys possible to negotiate and verify legal and technical intricacies
Technology governance
complex process an organization uses to manage impact and costs from technology implementation, innovation, and obsolescence
The Culture of Change Management
Prospect of change can cause employees to build up resistance to change
The Culture of Change Management
The stress of change can increase the probability of mistakes or create vulnerabilities; resistance to change can be lowered by building resilience for change
Lewin change model
unfreezing, moving, refreezing
Three-step process for project managers
communicate, educate, and involve
Developing a Culture that Supports Change
Ideal organization fosters resilience to change
Resilience
organization has come to expect change as a necessary part of organizational culture, and embracing change is more productive than fighting it
Developing a Culture that Supports Change
To develop such a culture, organization must successfully accomplish many projects that require change
Accreditation
authorizes IT system to process, store, or transmit information; assures systems of adequate quality
Certification
evaluation of technical and nontechnical security controls of IT system establishing extent to which design and implementation meet security requirements
SP 800-37
Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems
NSTISS Instruction-1000
National Information Assurance Certification and Accreditation Process (NIACAP)
ISO 17799/27001 Systems Certification and Accreditation
Systems Certification and Accreditation guidelines